
Re: Still unable to configure glue and rwm overlay correctly



Howard,

Thanks for your response. As a result, I checked out the head tag
within CVS, compiled and tested with the same configuration as before.

The glue overlay and rewrite rule now appear to be functioning
correctly when entries retrieved from the directories are rewritten:
the inetOrgPerson entries within the OpenLDAP portion of the unified
directory remain inetOrgPerson entries with all their attributes
(previously attributes referenced by the rewrite overlay were being
removed), and all user entries within the Active Directory portion are
rewritten correctly as inetOrgPerson entries.  There does appear to be
a problem with searching the directory using an attribute that is
being rewritten.

I have two directories being glued together:

	ou=XYZ, dc=xyz, dc=com				Microsoft Active Directory (ldap backend)
	ou=Extranet, ou=XYZ, dc=xyz, dc=com	OpenLDAP bdb (subordinate)

If I retrieve an entry from each directory using the cn attribute and
the base set to "ou=XYZ, dc=xyz, dc=com", I get the two directory
entries correctly rewritten (in the Active Directory case) and
correctly left alone (in the OpenLDAP case):

	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (cn=Andrew Kay)
	# requesting: ALL
	#

	# Andrew Kay, Users, XYZ, xyz.com
	dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com
	objectClass: top
	objectClass: person
	objectClass: organizationalPerson
	objectClass: inetOrgPerson
	sn: Kay
	cn: Andrew Kay
	uid: Andrew
	mail: andrew.kay@xyz.com

	# search result
	search: 2
	result: 0 Success

	# numResponses: 2
	# numEntries: 1
	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (cn=John Smith)
	# requesting: ALL
	#

	# John Smith, Users, Extranet, XYZ, xyz.com
	dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
	objectClass: inetOrgPerson
	cn: John Smith
	sn: Smith
	uid: john.smith
	userPassword:: am9obi5zbWl0aA==

	# search result
	search: 2
	result: 0 Success

	# numResponses: 2
	# numEntries: 1

In practice I want to use the uid attribute to retrieve the directory entry:

	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=Andrew)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (uid=Andrew)
	# requesting: ALL
	#

	# Andrew Kay, Users, XYZ, xyz.com
	dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com
	objectClass: top
	objectClass: person
	objectClass: organizationalPerson
	objectClass: inetOrgPerson
	sn: Kay
	cn: Andrew Kay
	uid: Andrew
	mail: andrew.kay@xyz.com

	# search result
	search: 2
	result: 0 Success

	# numResponses: 2
	# numEntries: 1
	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (uid=john.smith)
	# requesting: ALL
	#

	# search result
	search: 2
	result: 0 Success

	# numResponses: 1

The query works perfectly against the Active Directory portion of the
unified directory, but doesn't return the user from the OpenLDAP
portion of the directory.  If I rerun the last query but set the base
explicitly to the OpenLDAP portion of the directory:

	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (uid=john.smith)
	# requesting: ALL
	#

	# John Smith, Users, Extranet, XYZ, xyz.com
	dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
	objectClass: inetOrgPerson
	cn: John Smith
	sn: Smith
	uid: john.smith
	userPassword:: am9obi5zbWl0aA==

	# search result
	search: 2
	result: 0 Success
	
	# numResponses: 2
	# numEntries: 1

I get the user, but unfortunately can't get the user if the base is
set to the unified directory base.

It seems to work correctly if I am dealing with:

	- an attribute that is the same in both directories (cn for example)
	- an attribute that is rewritten (uid works against the Active
Directory portion, although it must be rewritten as SAMAccountName
when performing the underlying query)
	- when I explicitly set the base to the OpenLDAP directory portion
and then perform a query referring to an entry within it

I hope I have explained the problem I'm having in sufficient depth; I
can send you the results of running slapd in "trace, args, filter,
parse" debug mode if you wish.

Thanks again for your help so far.


Andrew
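A small check that automates the comparison made by hand in the mail above: it parses ldapsearch LDIF output for one filter run at the unified base and at each glued portion's own base, and reports DNs that a portion returns but the unified search drops. This is an added example, not code from the post or from OpenLDAP; the sample LDIF is constructed from the (uid=john.smith) results quoted in the mail.

```python
import base64

# Constructed from the mail's two (uid=john.smith) searches: empty at the
# unified base, one entry at the OpenLDAP portion's own base.
EXTRANET = "ou=Extranet,ou=XYZ,dc=xyz,dc=com"
UID_AT_UNIFIED = "# search result\nsearch: 2\nresult: 0 Success\n"
UID_AT_EXTRANET = """dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
objectClass: inetOrgPerson
cn: John Smith
uid: john.smith
userPassword:: am9obi5zbWl0aA==

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """{dn: {attr: [values]}} from ldapsearch output; folded lines rejoined,
    comments skipped, 'attr::' base64 decoded, entries end at a blank line
    (so the trailing 'search:/result:' block is never attached to one)."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            current = None
        elif line.startswith("dn: "):
            current = entries.setdefault(line[4:], {})
        elif line.startswith("#") or current is None or ": " not in line:
            continue
        elif ":: " in line:
            attr, val = line.split(":: ", 1)
            current.setdefault(attr, []).append(base64.b64decode(val).decode())
        else:
            attr, val = line.split(": ", 1)
            current.setdefault(attr, []).append(val)
    return entries


def lost_entries(unified_ldif, portion_ldifs):
    """DNs returned when a glued portion is searched at its own base but
    absent from the unified-base result for the same filter."""
    seen = parse_ldif(unified_ldif)
    lost = {}
    for base, ldif in portion_ldifs.items():
        missing = sorted(dn for dn in parse_ldif(ldif) if dn not in seen)
        if missing:
            lost[base] = missing
    return lost
```

Feed it the captured output of the same filter run once per base (the unified base plus each glued subtree); an empty result means the glue/rwm stack is returning the same set regardless of base, a non-empty one names exactly the entries that vanish.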